Closed esgoodman closed 9 years ago

Two-factor authentication is implemented and functional. However, we have a number of UX questions about where and how it shows up.

The options up for discussion are:

Assumptions: most 18F-ers and other federal employees using MyUSA more than once a month will go through Google OAuth or through secure gov’t email. Based on pretty reliable data, we think that non-federal employees who make a MyUSA account will use the account once or twice a year.

We asked the cybersecurity channel for their thoughts. The results: NO on (1) and (4), YES PLEASE to (2) and (3). (2) and (3) are compatible, with (2) layering features onto (3).

@dhcole added some nuance:

> +1: 2factor is super important and app devs might want to leverage it, -1: yes, but myusa is just delegating authorization to another service (google oauth or email + link verification) and 2-factor should happen there

@adelevie and @yozlet, how hard would it be to make 2FA mandatory for some integrations but not others?

:+1:

Looking at Google's 2-step verification guide as inspiration as we start to do ours.

Have you seen any other examples for 2FA verification that does a nice job of educating visitors step by step? cc: @yozlet @adelevie @esgoodman @juliaelman @jackiekazil @harrisj

I feel like Google's flow may be more elaborate than we need. There's a mural.ly doc where I've been collecting examples: https://mural.ly/t/gsa6/m/gsa6/1426803022441.

Closing because we've decided this and are now implementing the decision.
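One way the "mandatory for some integrations but not others" question raised in this thread could be answered at the authorization endpoint, as an added illustration rather than code from the MyUSA repository: each registered OAuth client carries a `require_2fa` flag, and the policy only counts a second factor that MyUSA verified itself on the current session. The names (`CLIENTS`, `Session`, `TwoFactorPolicy`), the sample clients and the 12-hour freshness window are all assumptions made for the example.

```ruby
# Added example, not MyUSA code: per-integration two-factor policy for an
# OAuth authorization endpoint. All names and values here are assumptions.
require 'time'

# Constructed client registry: each integration declares whether it needs 2FA.
CLIENTS = {
  'benefits-app' => { name: 'Benefits Portal',  require_2fa: true  },
  'newsletter'   => { name: 'Agency Newsletter', require_2fa: false }
}.freeze

# What the authorization endpoint knows about the logged-in user.
#   primary:          how they signed in (:google_oauth or :email_link)
#   second_factor_at: when MyUSA itself verified a second factor, or nil.
# Whether the upstream Google login used 2-step is not visible here, so it
# is deliberately not counted.
Session = Struct.new(:user_id, :primary, :second_factor_at, keyword_init: true)

module TwoFactorPolicy
  # Assumed window: ask for the second factor again after 12 hours.
  MAX_FACTOR_AGE = 12 * 60 * 60

  # Returns [decision, reason] where decision is one of
  #   :reject  unknown client_id; never issue a code
  #   :step_up send the user through the 2FA prompt, then retry
  #   :allow   continue to consent / code issuance
  def self.decide(client_id, session, now: Time.now)
    client = CLIENTS[client_id]
    return [:reject, 'unknown client_id'] unless client
    return [:allow, 'integration does not require 2FA'] unless client[:require_2fa]

    verified_at = session.second_factor_at
    return [:step_up, 'no second factor on this session'] if verified_at.nil?

    # A timestamp in the future or older than the window is treated as absent.
    age = now - verified_at
    if age.negative? || age > MAX_FACTOR_AGE
      return [:step_up, "second factor stale (#{age.to_i}s)"]
    end

    [:allow, 'second factor verified recently']
  end
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  fresh = Session.new(user_id: 1, primary: :google_oauth, second_factor_at: now - 600)
  none  = Session.new(user_id: 2, primary: :email_link, second_factor_at: nil)
  puts TwoFactorPolicy.decide('benefits-app', fresh, now: now).inspect
  puts TwoFactorPolicy.decide('benefits-app', none,  now: now).inspect
  puts TwoFactorPolicy.decide('newsletter',   none,  now: now).inspect
end
```

The `:step_up` result is the hook for the UX questions in the issue: the endpoint redirects to the 2FA prompt and then re-runs the same decision, so a user of a low-risk integration never sees the prompt while a user of a flagged one cannot get past authorization without it. The freshness check is the caveat worth keeping: without it, one verification early in a long-lived session satisfies every later integration indefinitely.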